
On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with

Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the policies, procedures, and operational changes necessary to comply with the law.

Five amendments passed: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Significant impacts of the amendments that were enacted include:

  • The amendments clarify that, at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business interactions but only in certain respects.
  • The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
  • The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act.
  • The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
  • The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.

Continue Reading Last minute amendments likely finalize CCPA language for January 1 deadline.

On April 18, 2019, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) requesting comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1. As written, CIP-012-1 will require responsible entities to implement controls to protect communication links and data transmissions in an effort to mitigate cybersecurity risks to communications between

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when

Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA) stands out among state biometrics statutes nationwide in that it includes a private right of action for anyone “aggrieved” by a private entity’s failure to comply with BIPA’s compliance requirements. The Illinois Supreme Court recently ruled that a plaintiff may assert that they are

On January 25, 2019, a settlement agreement was reached between a utility company, which allegedly violated the Critical Infrastructure Protection (CIP) Reliability Standards, and the North American Reliability Corporation (NERC). Through this settlement, NERC provides guidance to the electric industry for compliance with the CIP Reliability Standards. The substantial penalties should prompt companies to educate

The President has made artificial intelligence technology a policy priority. On February 11, 2019, the President issued an Executive Order to direct most federal executive agencies to promote and protect American advancements in artificial intelligence while working with private industry. The order recognized that public trust in artificial intelligence is an important factor in the development and use of the technologies, and highlights the need to “protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.”

Specifically, the President ordered the agencies to consider artificial intelligence as a research and development priority and

  • Invest in artificial intelligence (for example, machine learning) research and development.
  • Enhance access to data, models, algorithms, and computing resources to promote artificial intelligence research and development (consistent with obligations to maintain safety, security, privacy, and confidentiality).
  • Reduce barriers to the use of artificial intelligence (for example, machine learning) technologies.
  • Help develop technical standards that minimize vulnerability to attacks and “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
  • Train a workforce that can develop and take advantage of developments in artificial intelligence.
  • Develop an action plan “to protect the advantage of the United States in AI and technology critical to United States economic and national security interests against strategic competitors and foreign adversaries.”

Continue Reading President prioritizes research, development, and deployment of artificial intelligence technology

The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of particulars, but we focus here on the most notable new requirements.

Notable updates

Notices to affected individuals. The updated statute may require an organization to provide affected individuals with multiple (that is, repeat) notifications if, after the initial notice, the organization discovers information that updates or corrects the information required to be in such notifications. Other breach notification laws, like the EU’s General Data Protection Regulation and Canada’s breach notification law, may impose an ongoing obligation on organizations to notify regulators with updated information about breaches, but the Massachusetts statute may apply that same obligation to individual notices. The statute also sets forth additional content categories that the notices must contain.

Continue Reading Notable challenges from the updated Massachusetts data breach notification law

In late 2018, the Federal Energy Regulatory Commission (FERC) published a final rule updating and adding to the Critical Infrastructure Protection (CIP) Reliability Standards, which are intended to help protect the bulk electric system (BES) in North America against cybersecurity risks. The final rule:

  • Creates a new Supply Chain Risk Management Reliability Standard (CIP-013-1)
  • Updates